Ottawa has released the final version of its data breach notification regulations, which confirms that companies covered by federal privacy law will have to keep records of breaches for 24 months.

The regulations were released today in the Canada Gazette, (starting on page 701). As previously announced, they will come into effect Nov. 1.

The regulations are the rules for companies to comply with changes to the Personal Information Protection and Electronics Documents Act (PIPEDA) made in 2015 in the Digital Privacy Act mandating private sector firms covered under federal law to disclose to affected parties and the federal Privacy Commissioner when they have suffered a breach of security controls over personal information that could result in a “real risk of significant harm” to the victim.

The release of the final regs means companies now have certainty in the reporting regime, said Imran Ahmad, a privacy law expert with the Miller Thomson firm. “Companies can now build their compliance structure around this. If you have a breach response plan, you haven’t [so far] built in mandatory breach notification. Now we have the final version and a date of implementation.”

The trigger for notification is meeting the standard of “real risk of significant harm.” That shouldn’t be hard for firms to determine, Ahmad said. It should be obvious if the personal data exposed are things like credit card information, social insurance number and date of birth. “Those are easy things to determine they will cause significant harm” to an individual. Experts have said information like this can be used for impersonation and fraud.

What will be harder for organizations to determine are the grey zone issues such as whether an individual will suffer reputational harm from a breach, he said. For example, he said, the release of names of people who were registered with the Ashley Madison dating site.

Privacy lawyer Barry Sookman of McCarthyTetrault predicted organizations may have trouble complying with the breach record retention requirement, which he called “overly broad. In fact in some instances there aren’t even systems to record it … Nobody knows how to comply with them.” Nor do the regulations put a reasonable cost limitation on how much organizations have to spend to record every breach of a security safeguard, he said.

“Companies are going to have to make decisions about how far they can go,” he said.

The new law enables the federal Privacy Commissioner to investigate whether organizations have reasonable data safeguards and proper record keeping. If there are problems a firm could be fined twice, Sookman pointed out.

Bradley Freedman, Vancouver-based privacy lawyer with the Borden Ladner Gervais law firm, noted the final regs are more flexible than the government’s proposals. For example, an organization can make an initial report of a breach to the Privacy Commissioner and then file a follow-up report. Also, companies will be able to notify victims in more ways than initially suggested, including in person, by regular mail and by telephone in addition to email. In addition the indirect ways people can be notified has been simplified. The original suggestion said a conspicuous message could be posted on a company web site for 90 days or a newspaper ad. The final regs reduce it to “public communication or similar measure that could reasonably be expected to reach the affected individuals.”

Another interesting change, he added, is that the draft proposal said such indirect notification could be given if the cost of directly notifying people was prohibitive. The final regulation says indirect notification could be give if it would be “likely to cause undue hardship” to the company. However that isn’t defined.

In an email Kris Klein, managing director of the Canadian banch of the International Association of Privacy Professionals (IAPP) said that the record-keeping that comes with the regulations will require organizations to beef up their privacy management programs. “But with all the time that has passed and with all the lengthy consultations that have taken place, the regulations cannot be a shock to anyone. Remember, as well, that Alberta has had this regime in place for years now, so there is precedent that we can learn from.

Klein, who is also founding partner of nNovation LLP, an Ottawa-based consultancy, said belives the privacy community is well prepared. “I know my clients have been working towards compliance for several years already.”

The coming into force of the notification obligations has been held up for three years while the government consulted with the public and the private sector on the rules.

Much of the detail over what companies have to do was already spelled out in PIPEDA. The only real questions were how long companies had to hold on to their reports, and when the regulations actually take effect. The government tipped its hand last fall when the draft regulations suggested a two year period for holding on to reports.

The report on a breach of safeguards companies have to keep is the same one they have to send the Privacy Commissioner, so there will be no double reports.

The regulations specify the minimum requirements for providing a data breach report to the Privacy Commissioner; specify the minimum requirements for notifying affected individuals of a data breach; and confirm the scope and retention period for data breach recordkeeping.

“Our government is committed to making sure that Canadians’ personal information is protected and secure,” Innovation minister Navdeep Bains said in a statement. “While digitization has empowered critical innovation, it has also presented us with new and uncharted opportunities and challenges. The new regulations will make companies more accountable and empower Canadian consumers.”

The regulations confirm direct notification must be given to the affected individual and the Privacy Commissioner “as soon as possible” in one of several ways: In person, by telephone, mail, email “or any other form of communication that a reasonable person would consider appropriate in the circumstances.”

That notification must include

(a) a description of the circumstances of the breach;
(b) the day on which, or period during which, the breach occurred or, if neither is known, the approximate period;
(c) a description of the personal information that is the subject of the breach to the extent that the information is known;
(d) a description of the steps that the organization has taken to reduce the risk of harm that could result from the breach;
(e) a description of the steps that affected individuals could take to reduce the risk of harm that could result from the breach or to mitigate that harm; and
(f) contact information that the affected individual can use to obtain further information about the breach.

The report to the federal Privacy Commissioner must include

(a) a description of the circumstances of the breach and, if known, the cause;
(b) the day on which, or the period during which, the breach occurred or, if neither is known, the approximate period;
(c) a description of the personal information that is the subject of the breach to the extent that the information is known;
(d) the number of individuals affected by the breach or, if unknown, the approximate number;
(e) a description of the steps that the organization has taken to reduce the risk of harm to affected individuals that could result from the breach or to mitigate that
harm.

However, the government rejected a request from the Commissioner that company reports to his office include their assessment of real risk of significant harm to an individual.

In a statement the Office of the Privacy Commissioner said that while the regulations will finally bring data breach reporting into force, “they represent limited progress in our view in protecting the personal information of Canadians.

“We would have liked to see an assessment of real risk of significant harm included as a requirement in both the records and reports to our Office. In part, because this would help to facilitate oversight and assist us in providing advice to organizations following a breach. That being said, we will still be paying particular attention to how organizations assess real risk of significant harm as reports are filed with our Office.”

“With respect to the timeline, we remain confident that businesses have had sufficient time to prepare and we would continue to encourage organizations to report privacy breaches to our office voluntarily, even before the regulations are in force.

PIPEDA says in determining the real risk of significant harm (privacy experts have already shortened this to RRoSH) the organization has to consider the sensitivity of the information involved, and the probability that the information will be misused. The law defines significant harm to include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss and identity theft.